CyberArk acquires ViewFinity underscores endpoint privilege escalation's importance in privileged identity and access management

Andras Cser

Today's acquisition of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Privileged Identity / Access Management.

Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux-based solutions. Balabit, Hitachi-ID, Lieberman, and Thycotic do not have any; they usually partner with Avecto and Bit9.

Today's acquisition will a) further reduce the already small number of eligible/acquirable endpoint privilege escalation vendors and b) create further differentiation between partial and full PIM suite providers.

Forrester’s Security & Risk Spotlight – Rick Holland

Stephanie Balaouras

Newly minted Vice President and Principal Analyst, Rick Holland, is one of the most senior analysts on our research team. But for those of you who haven’t had the opportunity to get to know him, Rick started his career as an intelligence analyst in the U.S. Army, and he went on to hold a variety of security engineer, administrator, and strategy positions outside of the military before arriving at Forrester. His research focuses on incident response, threat intelligence, vulnerability management, email and web content security, and virtualization security. Rick regularly speaks at security events including the RSA conference and SANS summits and is frequently quoted in the media. He also guest lectures at his alma mater, the University of Texas at Dallas.

Rick holds a B.S. in business administration with an MIS concentration (cum laude) from the University of Texas at Dallas. Rick is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), and a GIAC Certified Incident Handler (GCIH).

What Does It Mean To Have Privacy As A Competitive Differentiator?

Heidi Shey

In 2015, 26% of global security decision makers consider privacy as a competitive differentiator for their organization.* But what does that even mean? And how would an organization achieve this?

Last week I was out in Las Vegas for Privacy. Security. Risk. and moderated a panel on this topic. Panelists included Michael McCullough (CPO, VP, Enterprise Information Management and Privacy, Macy's), Nathan Taylor (Partner, Morrison & Foerster), and Jamie May (VP of Operations, AllClear ID). Two things were clear:

  1. The ability and desire to use privacy as a competitive differentiator heavily depends on the nature of the business. For example, a cloud provider would approach this differently vs a company that sells gasoline.
  2. Treating privacy as a competitive differentiator vs marketing/selling with it are separate concepts. Some organizations may choose to embrace both. Treating privacy as a competitive differentiator has more to do with corporate culture, privacy practices, and your privacy team. The notion of responsible information management came up several times during the panel session. There is also risk involved with marketing/selling with privacy as a competitive differentiator; if you make a promise, you must be able to fulfill it.

10 Questions To Help Differentiate Incident Response Service Providers

Rick Holland

I frequently help Forrester clients come up with shortlists for incident response services selection. Navigating the vendor landscape can be overwhelming; every vendor that has consultant services has moved or is moving into the space. This has been the case for many years; you are probably familiar with the saying: "when there is blood in the water." I take many incident response services briefings, and vendors don't do the best job of differentiating themselves; the messages are so indistinguishable you could just swap logos on all the presentations.

Early next year, after the RSA Conference, I'm going to start a Forrester Wave on Incident Response services. Instead of waiting for that research to publish, I thought I'd share a few suggestions for differentiating IR providers.

  1. What is their hourly rate? This is typically my first question; I use it as a litmus test to figure out where the vendor sits in the landscape. If the rate is around $200 you are typically dealing with a lower-tier provider. Incident response is an area where you get what you pay for. You don't want to have to bring in a second firm to properly scope and respond to your adversaries.
  2. How many cases have they worked in the previous year? You want to hire an experienced firm; you don't want to work with a consultancy that is using your intrusion to build out the framework for their immature offering. While volume alone shouldn't be the key decision point, it does give you an objective way to differentiate potential providers.

Forrester’s Security & Risk Spotlight – Chris Sherman

Stephanie Balaouras

The title hasn’t yet been put to client vote, but Chris Sherman may be the renaissance man of Forrester’s S&R team. As an analyst, Chris advises clients on data security across all endpoints, giving him a broad perspective on current security trends. His experience as a neuroscience researcher at Massachusetts General Hospital also gives him insight into the particular challenges that Forrester’s clients in the healthcare industry face. Lastly, when he hasn’t been writing about endpoint security strategy or studying neural synapse firings, Chris flies Cessna 172s around New England. Listen to this week’s podcast to learn about recent themes in Chris’s client inquiries as well as the troubles facing a particular endpoint security technology.

Blackberry says: "I'm Not Dead YET!"

Tyler Shields

Once-proud unicorn company Good Technology has been acquired by Blackberry for $475M. This transaction was announced Friday 9/4/15 and has been a buzzworthy topic in the mobile security arena ever since. The acquisition demonstrates Blackberry's continued resolve to execute on a software-centered strategic turnaround plan. This acquisition is the biggest in Blackberry history and is an excellent fit in both features and company DNA. Blackberry refuses to die and is making major moves, such as this, to expand its position in a market that will only be lucrative to the leading few vendors. It's going to be feast or famine for Blackberry going forward.

Blackberry and Good are both security-minded companies, having created similar solutions based on full-stack security. Everything from network operations centers up through application-layer security controls was implemented, albeit in different delivery platforms. Both offerings have fallen on hard times in the recent past, with Blackberry having difficulty overcoming its failures in the hardware space and Good falling prey to a rapidly commoditizing market around mobile management technologies.

The State Of Business Continuity – We Have A Long Way To Go To Achieve True Resiliency

Stephanie Balaouras

Aug. 29, 2015 marked the 10-year anniversary of Hurricane Katrina. During the storm and the ensuing chaos, 1800 people lost their lives in New Orleans and across the Gulf Coast. Many of these deaths, as well as the extensive destruction, could have been avoided or minimized if there had been better planning and preparedness in anticipation of just such an event, and if there had been much better communication and collaboration throughout the crisis as it unfolded. Responsibility falls on many from government officials (at every level) to hospitals to businesses to individuals. If there is any silver lining to such a destructive event, it’s that it forced many in the US to be much better prepared for the next major catastrophe. Case in point, in October 2012, Superstorm Sandy barreled through the Caribbean and the eastern US, affecting almost half of the states in the US. The storm caused unprecedented flooding and left millions without access to basic infrastructure and thousands without homes, but this time, about 200 people across 24 states lost their lives.

Security In The IoT Age: Makers Vs. Operators

Tyler Shields

Check out my latest research on IoT security: An S&R Pros Guide To IoT Security

Internet of Things (IoT) security is a hot topic among security and risk professionals. It seems as if every "thing" on the market is becoming smarter and more interactive. As the level of IoT device maturity increases, so does the level of risk of data and device compromise. The scary thing is that we really have no idea what IoT devices are in our environment, let alone the correct way to secure them.

Both IoT product makers and IoT product operators need to understand the security implications of IoT devices. Security in IoT involves product makers rethinking how they create technologies, secure code and hardware, develop new offerings, and ensure the privacy of the data they collect. These areas of security are not typically areas that automobile, manufacturing, and retail technology makers have had to consider in the past. The scale of IoT devices in each vertical is enough to employ a small army of developers who are not yet up to speed on the latest secure code and hardware concepts.

On the other side of the coin, enterprises have the unenviable position of implementing these poorly coded and built technologies. Overwhelming pressure will come from competing enterprises causing an increase in IoT adoption to improve business efficiencies. IoT will become pervasive, and mandatory, throughout every vertical from gas and electric to automotive. The threat landscape in these areas will be immense.

Automated Malware Analysis Wave - Kicking Off Soon

Rick Holland

In September, Kelley Mak and I are going to be kicking off our Automated Malware Analysis Wave. During a 3-4 month process, we will be evaluating the network-based sandboxes of 10-15 vendors. If you would like the opportunity to participate, please contact Kelley Mak (kmak at forrester dot com) and Josh Blackborow (jblackborow at forrester dot com). They can send you the inclusion criteria. Since nearly every security vendor in the market has an AMA solution, not all vendors will be invited to participate in the Wave. Our inclusion criteria are designed to ensure we evaluate the vendors most capable of addressing Forrester's security and risk client base.

For vendors interested in learning more about Forrester's perspective on automated malware analysis, please check out Pillar No. 1: Malware Analysis from Targeted-Attack Hierarchy Of Needs: Assess Your Advanced Capabilities.

Forrester’s Security & Risk Research Spotlight: Make Customers The Focus Of Your Security Efforts

Stephanie Balaouras

Since I first became the research director of the Security & Risk team more than five years ago, security leaders have lamented the difficulty of aligning with the business and demonstrating real business value. Over the years, we’ve written an enormous amount of research about formal processes for aligning with business goals, provided key metrics to present to the board, and developed sophisticated models for estimating security ROI. Yet for many, demonstrating real business value continues to be a significant challenge. If it wasn’t for the 24-hour news cycle and a parade of high-profile security breaches, chances are good that security budgets would have been stagnant the last few years.
